Renewing Internal Certificates –> The Easy Way
Internal certificates for Exchange expire. End of.
You need to be wary, and keep an eye on your Event logs (especially for any Hub Transport or Edge role servers), and look for the following error message;
Event Type: Warning
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12018
The STARTTLS certificate will expire soon: subject: SERVER.DOMAIN.LOCAL, hours remaining: A41370EEC5510BD5D5F3D1DB4A8D27846F045A2C. Run the New-ExchangeCertificate cmdlet to create a new certificate.
When you get these, it’s easy enough to fix.
Note the services the certificate is enabled for (by default: POP, IMAP, IIS, SMTP on CAS + HT servers). Copy the thumbprint of the certificate, and run the following;
If the certificate is SMTP enabled, you will get the following error message;
Select [Y] for Yes.
Checking the certificate again, you should find the new one installed with a new expiry date (and the old one too);
If you wish to use the Certificate for IIS also, type the following;
Ok, last bit. Test the certificates are working, then remove the old;